Domain Name System (DNS) Network Security Asset or Achilles Heel? Arya Barirani, VP Product Marketing / Infoblox November 2014
Agenda What is DNS and How Does it Work? Threat Landscape Trends Common Attack Vectors Anatomy of an attack: DNS Hijacking Anatomy of an attack: Reflection Attack Anatomy of an attack: DNS DDoS How To Protect Yourself? Q & A
What is the Domain Name System (DNS)? Address book for all of internet Translates “google.com” to 173.194.115.96 Invented in 1983 by Paul Mokapetris (UC Irvine) Without DNS, The Internet & Network Communications Would Stop
How Does DNS Work? www.google.com Root DNS Server ISP DNS SERVER 173.194.115.96 Root DNS Server “That’s in my cache, it maps to: 173.194.115.96 173.194.115.96 “Great, now I know how to get to www.google.com” “Great, I’ll put that in my cache in case I get another request” “That domain is not in my server, I will ask another DNS Server” 173.194.115.96 “I need directions to www.google.com” ISP DNS SERVER
For Bad Guys, DNS Is a Great Target DNS is the cornerstone of the Internet used by every business/ Government DNS is fairly easy to exploit Traditional protection is ineffective against evolving threats DNS Outage = Business Downtime
The Rising Tide of DNS Threats Are You Prepared? In the last year alone there has been an increase of 200% 58% With possible amplification up to 100x DNS attacks1 DDoS attacks1 on a DNS attack, the amount of traffic delivered to a victim can be huge 28M 2M Pose a significant threat to the global network infrastructure and can be easily utilized in DNS amplification attacks2 With enterprise level businesses receiving an average of 2 million DNS queries every single day, the threat of attack is significant 33M Number of open recursive DNS servers2 1. Quarterly Global DDoS Attack Report, Prolexic, 1st Quarter, 2013 2. www.openresolverproject.org
The Rising Tide of DNS Threats DNS attacks are rising for 3 reasons: Countries of origin for the most DDoS attacks in the last year China 1 Easy to spoof US Brazil Russia France India 2 Asymmetric amplification Germany Korea Egypt Taiwan 3 High-value target
DNS Attack Vectors
The DNS Security Challenges Securing the DNS Platform 1 Defending Against DNS Attacks DDoS / Cache Poisoning 2 Preventing Malware from using DNS 3
Anatomy of an Attack Syrian Electronic Army
Distributed Reflection DoS Attack (DrDoS) Anatomy of an Attack Distributed Reflection DoS Attack (DrDoS) How the attack works Combines reflection and amplification Internet Uses third-party open resolvers in the Internet (unwitting accomplice) Open Recursive Servers Spoofed Queries Attacker sends spoofed queries to the open recursive servers Reflected Amplified Packets Uses queries specially crafted to result in a very large response Attacker Causes DDoS on the victim’s server Target Victim
Anatomy of an Attack DNS DDoS For Hire DDoS attacks against major U.S financial institutions Launching (DDoS) taking advantage of Server bandwidth 4 types of DDoS attacks: DNS amplification, Spoofed SYN, Spoofed UDP HTTP+ proxy support Script offered for $800
The Rising Tide of DNS Threats TCP/UDP/ICMP floods: Flood victim’s network with large amounts of traffic DNS amplification: Use amplification in DNS reply to flood victim DNS cache poisoning: Corruption of a DNS cache database with a rogue address Protocol anomalies: Malformed DNS packets causing server to crash Top 10 DNS tunneling: Tunneling of another protocol through DNS for data ex-filtration DNS hijacking: Subverting resolution of DNS queries to point to rogue DNS server DNS attacks DNS based exploits: Exploit vulnerabilities in DNS software Reconnaissance: Probe to get information on network environment before launching attack DNS reflection/DrDos: Use third party DNS servers to propagate DDoS attack Fragmentation: Traffic with lots of small out of order fragments
Protection Best Practices
Advanced DNS Protection Help Is On the Way! DNSSEC Collaboration Dedicated Appliances RPZ Monitoring Advanced DNS Protection
Get the Teams Talking – Questions to Ask: Who in your org is responsible for DNS Security? What methods, procedures, tools do you have in place to detect and mitigate DNS attacks? Would you know if an attack was happening, would you know how to stop it? Network Team Security Team IT Apps Team IT OPS Team
Hardened DNS Appliances Conventional Server Approach Hardened Appliance Approach Limited Port Access Threat Update Service Secure Access Multiple Open Ports Dedicated hardware with no unnecessary logical or physical ports No OS-level user accounts – only admin accts Immediate updates to new security threats Secure HTTPS-based access to device management No SSH or root-shell access Encrypted device to device communication Many open ports subject to attack Users have OS-level account privileges on server Requires time-consuming manual updates
Monitoring & Alert on Aggregate Query Rate
DNSSEC Fixes Kaminsky Vulnerability DNS Security Extensions Uses public key cryptography to verify the authenticity of DNS zone data (records) DNSSEC zone data is digitally signed using a private key for that zone A DNS server receiving DNSSEC signed zone data can verify the origin and integrity of the data by checking the signature using the public key for that zone
Advanced DNS Protection Amplification Cache Poisoning Legitimate Traffic Reconnaissance DNS Exploits Automatic updates Updated Threat-Intelligence Server Advanced DNS Protection (External DNS) Grid-wide rule distribution Advanced DNS Protection (Internal DNS) Data for Reports Reporting Server Reports on attack types, severity
Response Policy Zones - RPZ Blocking Queries to Malicious Domains An infected device brought into the office. Malware spreads to other devices on network. 1 4 Malicious domains Malware makes a DNS query to find “home.” (botnet / C&C). DNS Server detects & blocks DNS query to malicious domain 2 Reputational Feed: IPs, Domains, etc. of Bad Servers 2 Internet Query to malicious domain logged security teams can now identify requesting end-point and attmept remediation DNS Server with RPZ Capability 3 Intranet Malware / APT Blocked attempt sent to Syslog 1 RPZ regularly updated with malicious domain data using available reputational feeds 4 3 2 Malware / APT spreads within network; Calls home
Call to Action DNS security vulnerabilities pose a significant threat Raise the awareness of DNS and DNS security vulnerabilities in your organization There are multitudes of resources available to help Seek help if needed to protect DNS
Take the DNS Security Risk Assessment Analyzes your organization’s DNS setup to assess level of risk of exposure to DNS threats Provides DNS Security Risk Score and analysis based on answers given www.infoblox.com/dnssecurityscore This is a new Security Risk Assessment you can point your customers to any time. It’s on the external web site and customers such as Pep Boys, Twitter, and K-Mart have run assessments. Some major observations about customers in this context: Most don’t perform any security analysis on DNS traffic No team or person chartered with looking specifically at DNS security For those with on-premise external DNS servers no knowledge of how to handle DNS-based DDoS attacks Most of them use conventional DNS services (Microsoft or BIND) Possibly other services running on them Lots of open ports (security risks) Higher score = higher DNS security risk!!
(Fiscal Year Ending July 31) About Infoblox Total Revenue (Fiscal Year Ending July 31) Founded in 1999 Headquartered in Santa Clara, CA with global operations in 25 countries ($MM) Leader in technology for network control Market leadership DDI Market Leader (Gartner) 50% DDI Market Share (IDC) 28% CAGR 7,500+ customers 74,000+ systems shipped to 100 countries 55 patents, 29 pending IPO April 2012: NYSE BLOX
Thank you! For more information www.infoblox.com